SE Schweden

PTS' regulations target electronic communications networks and services as defined in Directive 2018/1972.
However, to the extent that e-services, for example remote customer service or the sale of subscriptions, are subject to the rules on the protection of processed data under Directive 2002/58/EC (ePrivacy Directive), parts of the provisions may be subject to the notification obligation.

The Swedish Post and Telecom Authority's (PTS) regulations on security of networks and services

The provisions in the attached regulations, which PTS considers may be subject to the notification obligation under the Ordinance (1994:2029) on Technical Rules, are as follows:

Chapter 4, Section 1 Identification and documentation of information processing assets
Chapter 5 Sections 1-4 Analysis of the risk that information processing assets cause or suffer from privacy incidents. Requirements on times and content of such risk analysis.
Chapter 6, Sections 1-4 Risk management and measures following risk assessment
Chapter 7, Section 1 Measures concerning access and authorisation to processed data.
Chapter 8, Section 1 Measures to ensure that processed data that is permanently stored is protected.
Chapter 9, Section 1 Logging of processed data
Chapter 10 Section 1 Encryption during the transmission of processed data
Chapter 10 Section 4 Requirements for recognised encryption method
Chapter 10 Section 5 Requirements for procedures for encryption and management of encryption keys
Chapter 13, Sections 1-2 Internal handling of privacy incidents and requirements for keeping records of privacy incidents.

The provisions set out above are affected both by Directive 2002/58/EC (ePrivacy Directive) and Directive (EU) 2018/1972. The notification concerns only the part relating to Directive 2002/58, since Directive 2018/1972 is covered by the telecom exemption. No special Swedish provisions concerning e-services.